As others have said, you don't need to terminate the EAP-TLS on the controller; not terminating on the controller simplifies the setup.
Just be sure to have a look at the "termination" checkbox under the 802.1x profile on the controller. If this box is unchecked, the Aruba controller will just pass along the EAP-TLS traffic to the destined RADIUS server for approval.
Domain computers will need to show a certificate for validation, but as you say, the Windows Mobile is unable to be a member of the domain.
Domain computers automatically receive a certificate when they are added to the domain, so you will have to manually load a valid certificate into the Windows Mobile phone for EAP-TLS to work.
Mosher